We’re currently exploring how to support multiple SAML Identity Providers (IDPs) within IIQ, but have hit some constraints. As I understand it, IIQ only supports a single SAML IDP out of the box, with a fixed redirect flow for SSO.
Here are some key questions we’re hoping to get guidance on:
- Is it possible to support multiple SAML IDPs in IIQ?
- Can this be implemented using a plugin, perhaps by intercepting the authentication flow?
- How could we dynamically select which IDP to redirect a user to?
  - Based on username or domain?
  - Through a custom login page?
We’d love to know if anyone has successfully implemented this kind of setup or has any recommendations on best practices.
You’re absolutely right that out-of-the-box, SailPoint IdentityIQ (IIQ) supports only a single SAML Identity Provider (IdP) configuration. However, there are a few approaches that can help you support multiple IdPs:
Plugin or Custom Rule-Based Approach
- Custom Authentication Plugin: You can intercept the authentication flow using a custom plugin or servlet filter. This would allow you to dynamically redirect users to different IdPs based on logic you define.
- Rule-Based SSO: IIQ supports rule-based SSO, which lets you define a rule to match a user to an IdP based on attributes like username, domain, or other request parameters. This is documented in SailPoint’s SSO Configuration guide.
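To make the "select an IdP from username or domain" logic in the question and the rule-based answer concrete, here is an added example of that selection logic. It is not code from the original thread, not SailPoint's IdentityIQ API, and not a real IIQ rule; the registry, IdP names, entity IDs and URLs are constructed placeholders, and `select_idp` / `sso_url_for` are hypothetical function names. The security-relevant detail it shows is that whatever the user supplies (an e-mail domain, a `DOMAIN\user` prefix, or an explicit IdP choice from a custom login page) only ever picks an entry from the deployment's own configured list, so the redirect target can never be an attacker-chosen URL.

```python
"""Added example: choose a configured SAML IdP from a login name or an
explicit request parameter. Illustrative only; not IIQ's API or a real rule.
"""
from typing import Dict, Optional

# Constructed registry of IdPs that the deployment has actually configured.
# Only names in this table may ever become a redirect target.
IDP_REGISTRY: Dict[str, dict] = {
    "corp-idp": {
        "entity_id": "https://idp.corp.example/saml/metadata",   # placeholder
        "sso_url": "https://idp.corp.example/saml/sso",           # placeholder
        "domains": {"corp.example", "sub.corp.example"},
    },
    "partner-idp": {
        "entity_id": "https://sso.partner.example/metadata",      # placeholder
        "sso_url": "https://sso.partner.example/sso",             # placeholder
        "domains": {"partner.example"},
    },
}
DEFAULT_IDP = "corp-idp"  # assumption: unmatched users go to the primary IdP


def domain_of(login: str) -> Optional[str]:
    """Extract the domain from 'user@domain' or 'DOMAIN\\user' (case-folded).
    Returns None when the login carries no domain at all."""
    login = login.strip().lower()
    if "@" in login:
        _, _, domain = login.rpartition("@")
        return domain or None
    if "\\" in login:
        domain, _, _ = login.partition("\\")
        return domain or None
    return None


def select_idp(login: str,
               requested_idp: Optional[str] = None,
               registry: Dict[str, dict] = IDP_REGISTRY,
               default: str = DEFAULT_IDP) -> str:
    """Return the registry key of the IdP to use.

    Precedence: an explicit choice from a custom login page (only if it names
    a configured IdP), then a domain match on the login, then the default.
    An unknown explicit choice is rejected rather than passed through, so a
    request parameter can never steer the redirect outside the registry.
    """
    if requested_idp is not None:
        if requested_idp in registry:
            return requested_idp
        raise ValueError("requested IdP is not configured: %r" % requested_idp)

    domain = domain_of(login)
    if domain is not None:
        for name, idp in registry.items():
            if domain in idp["domains"]:
                return name
    return default


def sso_url_for(login: str,
                requested_idp: Optional[str] = None,
                registry: Dict[str, dict] = IDP_REGISTRY) -> str:
    """Resolve the SSO endpoint to redirect to; always a value from the registry."""
    return registry[select_idp(login, requested_idp, registry)]["sso_url"]


if __name__ == "__main__":
    # Constructed sample logins, one per branch of the selection logic.
    for sample in ("JDoe@Corp.Example", "partner.example\\alice", "bob",
                   "x@unknown.example"):
        print(sample, "->", select_idp(sample), sso_url_for(sample))
```

In a real deployment the registry would be loaded from IIQ's SSO configuration rather than a literal, and the same allow-list check applies whether the choice comes from a rule, a plugin, a servlet filter, or a dropdown on a custom login page: the user's input selects among configured IdPs, it never supplies the URL.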